Vigil@nce: Linux kernel, denial of service via pipe_fcntl
December 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the splice() and fcntl() functions, in
order to stop the system.
– Severity: 1/4
– Creation date: 30/11/2010
DESCRIPTION OF THE VULNERABILITY
The splice() system call transfers data between a file descriptor
and a kernel memory area managed by a special pipe, without copying
it through user-space memory.
The fcntl() function manages a file descriptor. When the
descriptor is a spliced pipe, fcntl() calls the pipe_fcntl()
function, which accesses the file->f_path.dentry->d_inode->i_pipe
field. However, for such a descriptor this field is not a real pipe,
and dereferencing it halts the kernel.
A local attacker can therefore use the splice() and fcntl()
functions, in order to stop the system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-pipe-fcntl-10164